Django 5.1.1, 5.0.9, and 4.2.16 fix a user e-mail enumeration issue in the django.contrib.auth.forms.PasswordResetForm class. When the form is used in a view implementing a password reset flow, a remote attacker can enumerate user e-mail addresses by sending password reset requests and observing the outcome. The form only attempts to send mail for addresses that belong to an existing user, so when e-mail sending is consistently failing (for example, the mail backend is unreachable) the resulting error surfaces only for registered addresses, while unknown addresses receive the normal success response. The issue is exploitable only under that condition of consistently failing e-mail delivery. The fixed versions catch the sending failure and log it with the django.contrib.auth logger instead of letting it propagate, so both cases produce the same response.
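To make the oracle concrete, the following is an added, self-contained Python model of the flow. It is not Django's code and does not import Django: the user store, the failing mail backend, and the two view functions are constructed stand-ins (the addresses are hypothetical). The vulnerable view lets the backend's exception escape, the hardened view mirrors the fix by catching and logging it, and enumerate_accounts shows the attacker's differential probe against either.

```python
import logging
import secrets
from typing import Callable, Iterable, Set

# Logger name borrowed from the fix; everything else here is a stand-in for the real form/view.
logger = logging.getLogger("django.contrib.auth")

# Constructed sample user store (hypothetical addresses, not real accounts).
USERS: Set[str] = {"alice@example.com", "bob@example.com"}


class SMTPDown(Exception):
    """Stands in for the SMTP/socket error a mail backend raises when it is unreachable."""


def broken_send_mail(to: str) -> None:
    """Mail backend that is consistently failing: the precondition for this CVE."""
    raise SMTPDown(f"connection refused while sending to {to}")


def users_for(email: str) -> Iterable[str]:
    """Look up users for an address; the reset form only sends mail to these."""
    return (u for u in USERS if u == email.strip().lower())


def vulnerable_reset_view(email: str, send_mail: Callable[[str], None] = broken_send_mail) -> int:
    """Pre-fix behaviour (modelled): the backend error escapes the view, so only a
    registered address turns the response into a 500. Returns the HTTP status."""
    try:
        for user in users_for(email):
            send_mail(user)
    except SMTPDown:
        return 500  # unhandled exception -> framework error page
    return 200


def hardened_reset_view(email: str, send_mail: Callable[[str], None] = broken_send_mail) -> int:
    """Post-fix behaviour (modelled): the failure is logged and swallowed, so
    registered and unknown addresses get the same response."""
    for user in users_for(email):
        try:
            send_mail(user)
        except Exception:
            logger.exception("Failed to send password reset email to %s", user)
    return 200


def enumerate_accounts(candidates: Iterable[str], view: Callable[[str], int]) -> Set[str]:
    """Attacker side: take a baseline from an address that cannot exist, then report
    every candidate whose outcome differs from that baseline."""
    baseline = view(f"probe-{secrets.token_hex(8)}@example.invalid")
    return {c for c in candidates if view(c) != baseline}


if __name__ == "__main__":
    wordlist = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", sorted(enumerate_accounts(wordlist, vulnerable_reset_view)))  # ['alice@example.com', 'bob@example.com']
    print("hardened:  ", sorted(enumerate_accounts(wordlist, hardened_reset_view)))    # []
```

The same differential check is the practical test for a deployment: with the mail backend deliberately pointed at a closed port, a reset request for a known account and one for an unknown address must return the same status and body. Note that the hardened view still leaks nothing through the response but does leave a trace in the application log, which is where the failure belongs.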
{ "binaries": [ { "binary_name": "python-django", "binary_version": "1.8.7-1ubuntu5.15+esm8" }, { "binary_name": "python-django-common", "binary_version": "1.8.7-1ubuntu5.15+esm8" }, { "binary_name": "python3-django", "binary_version": "1.8.7-1ubuntu5.15+esm8" } ], "priority_reason": "Only allows enumeration of user emails via brute-force approach." }
{ "binaries": [ { "binary_name": "python-django", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" }, { "binary_name": "python-django-common", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" }, { "binary_name": "python3-django", "binary_version": "1:1.11.11-1ubuntu1.21+esm7" } ], "priority_reason": "Only allows enumeration of user emails via brute-force approach.", "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro" }